Issues with Android's Stagefright media playback engine, reported yesterday by Zimperium researchers, lead today's news. The Stagefright vulnerability is being called "Heartbleed for Mobile," and could be exploited via MMS requiring no user interaction. The basic problem is said to be Stagefright's "overprivileged" status. Both Silent Circle and Mozilla have patched their Android platforms; Google is expected to push out a fix soon. But in the meantime, see early notes on device protection from LIFARS and Sophos.
A vulnerability in Apple's App Store and iTunes is also reported (by researchers at Vulnerability Lab). Apple has issued a patch.
Symantec publishes a comprehensive report on the "Black Vine" cyberespionage group, watering-hole specialists implicated in the Anthem breach (and several other intrusions at energy, healthcare, and aerospace companies). Symantec connects Black Vine to the Beijing-based IT-security organization Topsec.
PHP File Manager seems "riddled with vulnerabilities," including a backdoor.
Cyphort reports an upsurge in malvertising infections.
New phishing campaigns are targeting Google Drive users, some with persuasive spoofing, reports Elastica.
New York magazine, hacked by some guy who seems to dislike the Big Apple, gets applauded for the resiliency of its response, much enabled by its social media presence.
The diverse vulnerabilities disclosed this week might prompt some reflection on how to handle such discoveries. Contrast Arbor Networks (more mainstream) commentary with Zerodium's (a minority, if arguably defensible, view). Also consider recent disclosures in the light of proposed Wassenaar implementation.
Companies face increasing data breach liability; insurers seek surrogates for historical actuarial data.